North Dallas Bank, $1.1 billion in assets, saw its debit card-related fraud rise 300% over the past two years. Then, immediately after installing a device [Thales' HSM 8000] that verifies PINs, fraud levels fell 73%. "You could say it's just a sign of the times," acknowledges Greg Niemeyer, executive vice president of marketing and operations, although the economy has not improved and financial fraud tends to rise during downturns. "Does this reflect PCI compliance? Are people being a little more observant? Probably. But we have to believe the more you can do to protect your data the better off you are."
Although North Dallas is primarily a commercial bank, it has many retail customers as well. It issues about 8,000 consumer cards and 4,000 commercial cards.
The hardware security module the bank is using verifies and encrypts each PIN. "There's no key exchange with anybody else and the system has a lock on it so it can't be changed," Niemeyer says. "The generation of any key takes three people, and there are controls to help us manage what we need for the payment industry requirements."
Previously, the bank outsourced PIN verification to a large bank. "Our concern has always been, we know what we do with our data, we just don't know what anybody else does," Niemeyer says. "The less you let somebody else touch your data, the better off you are. We do almost everything still in house, and try to do as little outsourcing as we can, at least for data that's customer sensitive. It requires more of us, but we believe customers are willing to pay for it."
Niemeyer would not say how much the bank spent on this security solution. "There were lesser options cost-wise, but cost isn't what drives us," he says. "It has to be considered, but you have to think long-term on some of this stuff. You want someone who sets the standard, not somebody who follows the standard."
The new solution has another benefit: it helps to synchronize data from different channels. "We went through a process of trying to get all our customer-facing channels to reflect the same thing," Niemeyer notes. "Without the hardware security module we couldn't do that because we had to have someone else do PIN verification." Today, core, ATM, voice banking, online banking and cash management systems all reflect the same transaction data. "You can use your debit card at Starbucks, then click on your online banking account on your laptop and see your transaction's posted," Niemeyer says.
Security-wise, the bank has taken other steps to protect customers from various types of fraud. The bank monitors ATM, internet and cash management transactions for anything out of band, such as large dollar transactions. "Being a commercial bank we have tons of them," he notes. The bank has created a voice system that verifies the number of items, dollar amount and code word on ACH files. "Knock wood, we haven't had any losses from anything that's internet driven," Niemeyer says.